CC6.1
SOC 2 CC6.1 requires that your organisation implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet your organisation’s objectives.
CC6.1 highlights the following points of focus:
Identifies and Controls the Inventory of Information Assets
The organisation should recognise, inventory, categorise, and manage its information assets.
Restricts Logical Access
Logical access to information assets should be restricted through the use of access control software and rule sets. Assets include:
- Hardware
- Data (at-rest, throughout processing, or in transmission)
- Software
- Administrative authorities
- Mobile devices
- Output
- Offline system elements.
Identifies and Validates Users
Individuals, infrastructure and software should be recognised and verified prior to being given access to information assets, whether locally or remotely.
Considers Network Segmentation
Network segmentation should permit disparate portions of your organisation’s information system to be isolated from one another.
Oversees Points of Access
Points of access by external bodies and the types of data that flow through the points of access should be recognised, inventoried, and controlled. The types of individuals and systems using each point of access should also be identified, documented, and controlled.
Limits Access to Information Assets
To establish access-control rules for information assets, combinations of the following should be used:
- Data classification
- Separate data structures
- Port restrictions
- Access protocol restrictions
- User identification
- Digital certificates.
Oversees Identification and Verification
Your organisation should establish, document and manage identification and authentication requirements for individuals and systems accessing organisational information, infrastructure, and software.
Manages Credentials for Infrastructure and Software
New internal and external infrastructure and software should be registered, authorised, and recorded prior to being given access credentials and implemented on the network or access point. When access is no longer required or the infrastructure and software are no longer in use, credentials should be removed and access disabled.
Uses Encryption to Protect Data
Your organisation should use encryption to support other measures used to protect data at rest, when such safeguards are considered necessary based on assessed risk.
Protects Encryption Keys
Procedures should be in place to safeguard encryption keys during creation, storage, use, and destruction.
CC6.2
SOC 2 CC6.2 requires that, prior to issuing system credentials and granting system access, your organisation registers and authorises new internal and external users whose access is administered by the entity. For those users whose access is administered by your organisation, user system credentials should be removed when user access is no longer authorised.
CC6.2 highlights the following points of focus:
Controls Access Credentials to Protected Assets
Information asset access credentials should be created based on an approval from the system's asset owner or authorised custodian.
Eliminates Access to Protected Assets When Applicable
Your organisation should put processes in place to remove credential access when an individual no longer requires such access.
Reviews Appropriateness of Access Credentials
The appropriateness of access credentials should be reviewed on a periodic basis to identify and remove any unnecessary or inappropriate individuals with credentials.
CC6.3
SOC 2 CC6.3 requires that your organisation authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes. As part of this process, you should consider the concepts of least privilege and segregation of duties to meet the organisation’s objectives.
CC6.3 highlights the following points of focus:
Creates or Modifies Access to Protected Information Assets
Processes should be in place to create or alter access to protected information assets based on authorisation from the asset’s owner.
Removes Access to Protected Information Assets
Processes should be in place to remove access to protected information assets when an individual no longer requires access.
Uses Role-Based Access Controls
Role-based access control should be implemented to support the separation of incompatible functions.
Reviews Access Roles and Rules
The suitability of access roles and access rules should be reviewed periodically for unnecessary and inappropriate individuals with access. Access rules should be altered as applicable.
CC6.4
SOC 2 CC6.4 requires that your organisation restricts physical access to facilities and protected information assets (for example, data centre facilities, backup media storage, and other sensitive locations) to authorised personnel to meet your organisation’s objectives.
CC6.4 highlights the following points of focus:
Creates or Alters Physical Access
Processes should be in place to create or modify physical access to your organisation’s facilities, such as data centres, office spaces, and work areas, based on authorisation from the system's asset owner.
Eliminates Physical Access
Processes should be in place to remove access to physical resources when a person or entity no longer requires access.
Evaluates Physical Access
Processes should be put in place to periodically review physical access to ensure consistency with roles and duties.
CC6.5
SOC 2 CC6.5 requires that your organisation discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet your objectives.
CC6.5 highlights the following points of focus:
Detects Data and Software for Disposal
Procedures should be in place to identify data and software stored on equipment to be disposed of, and to make such data and software unreadable.
Removes Data and Software From Organisational Control
Procedures should be in place to remove data and software stored on equipment from the physical control of your organisation and to render said data and software unreadable.
CC6.6
SOC 2 CC6.6 requires that your organisation implements logical access security measures to protect against threats from sources outside your system boundaries.
CC6.6 highlights the following points of focus:
Restricts Access
The types of activities that can take place through a communication channel (for example, FTP site, router port) should be restricted.
Protects Identification and Validation Credentials
Identification and validation credentials should be protected during transmission outside your organisation’s system boundaries.
Requires Additional Authentication or Credentials
Further authentication information or credentials should be required when accessing the system from outside its boundaries.
Implements Boundary Protection Systems
Boundary protection systems (e.g. firewalls, demilitarised zones, and intrusion detection systems) should be put in place to protect external access points from attempts and unauthorised access, and are monitored to detect such attempts.
CC6.7
SOC 2 CC6.7 requires that your organisation restricts the transmission, movement, and removal of information to authorised internal and external users and processes, and protects it during transmission, movement, or removal to meet your organisational objectives.
CC6.7 highlights the following points of focus:
Restricts the Ability to Perform Transmission
Data loss prevention procedures and technologies should be used to restrict ability to authorise and execute transmission, movement, and/or removal of information.
Uses Encryption Technologies or Secure Communication Channels to Protect Data
Encryption technologies or secured communication channels should be used to protect transmission of data and other communications beyond connectivity access points.
Protects Removal Media
Encryption technologies and physical asset protections should be used for removable media, e.g. USB drives and backup tapes, as necessary.
Protects Mobile Devices
Processes should be in place to safeguard mobile devices (e.g. laptops, smart phones, and tablets) that serve as information assets.
CC6.8
SOC 2 CC6.8 requires that your organisation implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet your organisation’s objectives.
CC6.8 highlights the following points of focus:
Restricts Application and Software Installation
The ability to install applications and software should be limited to authorised individuals.
Detects Unauthorised Changes to Software and Configuration Parameters
Processes should be put in place to detect changes to software and configuration parameters that may indicate unauthorised or malicious software.
Uses a Defined Change Control Process
A management-defined change control process should be used for the implementation of software.
Uses Antivirus and Anti-Malware Software
Antivirus and anti-malware software should be implemented and preserved to provide for the interception or recognition and remediation of malware.
Scans Information Assets from Outside the Entity for Malware and Other Unauthorised Software
Procedures should be in place to scan information assets that have been transferred or returned to the entity’s custody for malware and other unauthorised software, and to remove any items detected prior to its deployment on the network.
